1S9STOEN_26-5-17_ADL300_STO_STO Pag. 12/30
4.3 Safety integrity level
PDS STO function provides two independent safety channels/paths. A fault on a channel should
not interfere with operation on the other channel.
The safety architecture has been designed to be fault tolerant with a fault tolerance of 1. This means
that, whatever failure occurs in the system, safety is still guaranteed.
Each channel will be activated/deactivated by a different input. Inputs are safely separated and far
from each other to guarantee electrical and functional isolation.
Inputs will be called respectively:
- ENABLE
- SAFETY ENABLE
A limit on the probability of random failure per hour (PFH) should be calculated on a time-span of 20
years (mission time). PFH is less than 1x10⁻⁹. Safety Integrity Level classification according to
EN61800-5-2/EN61508 is SIL3.
4.4 Safety Fault Reaction System
Hardware mechanisms on both the Regulation and Safety circuits have been established to detect
faults and react to them.
Signals DRIVE OK and SAFETY OK are provided to issue fault alarms to external monitoring
devices.
Normal behavior of these signals is described in ADL300 User Manual:
• SAFETY OK signals are internally connected to a fixed hardware controlled relay which
diagnoses and identifies failures in the safety circuit. SAFETY OK relay behavior is
described in Table 4. Asserting an alarm on a SAFETY OK signal means the feedback
signal status does not comply with the behavior described in Table 4.
• DRIVE OK relay behavior is software configurable. The default configuration acts so that the relay
is closed if the ADL300 drive is ready to receive an ENABLE signal. The DRIVE OK
configuration must be mandatorily changed to Digital Input Monitor for the ENABLE
signal in case of contactor-less applications (§ 7.2 Lift Application Design supporting
contactor-less car stop).
If the hardware/software on the Regulation board detects a fault, it asserts a Safety Failure
Alarm, preventing the drive from restarting until the alarm is manually cleared by qualified
personnel.
In order to make failures more evident and to take the system to a safe state independently of any external
monitoring device, the safety function has been designed so that most detected failures actually
block the ADL300 while the drive is being normally operated. All detected failures shall raise alarms
by means of the feedback signals.
The Regulation board executes all possible integrity checks before starting to generate PWM
pulses:
- Check ENABLE signal
- Check SAFETY ENABLE signal
- Check SAFETY OK consistency
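The following is an added example, not code from the ADL300 manual or from Gefran: a fail-safe model of the pre-PWM integrity checks above, with two independent channels (ENABLE, SAFETY ENABLE) and a Safety Failure Alarm that latches until manually cleared. The SAFETY OK consistency rule used here (feedback must mirror SAFETY ENABLE) is an assumption standing in for Table 4, which is not on this page.

```c
#include <stdbool.h>

/* Inputs sampled by the Regulation board before generating PWM. */
typedef struct {
    bool enable;         /* channel 1 input: ENABLE */
    bool safety_enable;  /* channel 2 input: SAFETY ENABLE */
    bool safety_ok_fb;   /* SAFETY OK relay feedback */
} sto_inputs_t;

typedef struct {
    bool safety_failure_alarm; /* latched until manually cleared */
    bool pwm_allowed;
} sto_state_t;

/* Runs the integrity checks; returns true only if PWM may start.
 * Fail-safe: every path that is not fully verified leaves pwm_allowed false. */
bool sto_pre_pwm_check(sto_state_t *st, const sto_inputs_t *in)
{
    st->pwm_allowed = false;
    if (st->safety_failure_alarm)
        return false; /* no restart while the alarm is latched */

    /* ASSUMED consistency rule (Table 4 not on this page):
     * SAFETY OK feedback must mirror the SAFETY ENABLE command.
     * A mismatch is a detected failure and latches the alarm. */
    if (in->safety_ok_fb != in->safety_enable) {
        st->safety_failure_alarm = true;
        return false;
    }

    /* Fault tolerance of 1: both independent channels must be asserted.
     * One channel de-asserted removes torque without raising an alarm. */
    st->pwm_allowed = in->enable && in->safety_enable;
    return st->pwm_allowed;
}

/* Manual clear by qualified personnel; the next check re-validates inputs. */
void sto_clear_alarm(sto_state_t *st)
{
    st->safety_failure_alarm = false;
    st->pwm_allowed = false;
}
```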